Establishing information security policy compliance culture in organizations

Eric Amankwa (Department of Information and Communication Technology, Presbyterian University College Ghana, Abetifi, Ghana and School of Computing, University of South Africa, Pretoria, South Africa)
Marianne Loock (School of Computing, University of South Africa, Pretoria, South Africa)
Elmarie Kritzinger (School of Computing, University of South Africa, Pretoria, South Africa)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 8 October 2018

Issue publication date: 8 October 2018

Abstract

Purpose

This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions.

Design/methodology/approach

In view of the study’s aim, a research model showing how three key constructs can influence employees’ attitudes and behaviours towards the establishment of an information security policy compliance culture (ISPCC) was developed and validated in an empirical field survey.

Findings

The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations.

Practical implications

Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the drafting and updating of ISP and nurturing a culture that is conducive to ISP compliance.

Originality/value

The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.

Citation

Amankwa, E., Loock, M. and Kritzinger, E. (2018), "Establishing information security policy compliance culture in organizations", Information and Computer Security, Vol. 26 No. 4, pp. 420-436. https://doi.org/10.1108/ICS-09-2017-0063

Publisher: Emerald Publishing Limited

Copyright © 2018, Emerald Publishing Limited
